DOCS-3101 (project: Documentation)

OnPrem1.4: Updates to instructions for configuring Jetty to run HTTPS

    • Type: Task
    • Resolution: Done
    • Priority: Critical - P2
    • v1.3.5, mms-1.4
    • Affects Version/s: None
    • Component/s: Cloud Manager

      On-Prem 1.4 brings some configuration changes to the "Configuring Jetty for HTTPS" page. Details are below, but the highlights of the change are:

      • Now a distinction between keystore and truststore
      • The monitoring agent now validates SSL certificates by default

      Details

      1.) Typo here

      -If the signed certifcate is PEM format, convert the certificate...
      +If the signed certifcate is DER format, convert the certificate...
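      Review bot: both the removed and the added line still spell "certificate" as "certifcate"; since this sentence is being rewritten anyway, correct the spelling in the + line as well so the page does not carry the typo forward.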
      

      2.) New section at start of "Procedure" heading, before "Create Java Keystore"

      Create Java Truststore
      Generate Truststore
      Import the PEM certificate into a Java truststore, so that the MMS server trusts its own "mms.centralUrl" when making HTTP requests:
      
      /opt/mongodb/mms/jdk/bin/keytool -import -keystore mms-truststore.jks -file mms-ssl-unified.crt 
      
      Replace /opt/mongodb/mms with the path of the installation directory for the MMS server. /opt/mongodb/mms is the default installation directory.
      
      keytool will prompt to specify a Java keystore passphrase, as well as a yes/no confirmation to import the certificate.
      

      3.) Set Truststore and Keystore Location and Permissions

      Issue the following sequence of commands to move the Java keystore and truststore files to the /etc/mongodb-mms directory and set the appropriate permissions:
      
      sudo mv mms-truststore.jks mms-keystore.jks /etc/mongodb-mms/
      sudo chown mongodb-mms:root /etc/mongodb-mms/*.jks
      sudo chmod 600 /etc/mongodb-mms/*.jks
      If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.
      

      4.) Configure MMS Application to use SSL

      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStorePath=/etc/mongodb-mms/mms-truststore.jks"
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
      
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
      

      5.) New section after "Restart MMS Application Server"

      Starting with On-Prem MMS 1.4, the monitoring agent validates the SSL certificate of the MMS server by default. This means the monitoring agent must be configured to trust the MMS server if the server is not using a certificate signed by a trusted third party.
      
      To specify a self-signed certificate of the MMS server that the monitoring agent should trust, first copy your PEM certificate to /etc/mongodb-mms/:
      
      sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
      sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
      sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt
      
      Then edit the following parameter in /etc/mongodb-mms/monitoring-agent.config:
      
      sslTrustedMMSServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt
      
      Restart your monitoring agent for the configuration update to take effect:
      
      sudo /etc/init.d/mongodb-mms-monitoring-agent restart
      
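      A preflight check for the configuration this ticket describes, added here as an example and not part of the ticket or of MMS: it parses the JAVA_MMS_SSL_OPTS lines for the four -Dxgen.webServerSsl* properties, confirms both .jks files are restricted to their owner (the chmod 600 above), and confirms monitoring-agent.config pins a protected sslTrustedMMSServerCertificate, which the 1.4 agent needs when the server certificate is self-signed. The files and password values that demo() builds are constructed placeholders.

```python
import os
import re
import stat
import tempfile

REQUIRED_PROPS = (  # Java system properties this ticket says the MMS application must carry
    "xgen.webServerSslTrustStorePath", "xgen.webServerSslTrustStoreEncryptedPassword",
    "xgen.webServerSslKeyStorePath", "xgen.webServerSslKeyStoreEncryptedPassword")
_PROP_RE = re.compile(r"""-D([\w.]+)=([^\s"']+)""")

def parse_java_opts(text):
    """Collect -Dname=value pairs from JAVA_MMS_SSL_OPTS assignments (shell quotes stripped)."""
    return dict(_PROP_RE.findall(text))

def parse_agent_config(text):
    """Parse monitoring-agent.config key=value lines, skipping blanks and # comments."""
    pairs = (ln.partition("=") for ln in map(str.strip, text.splitlines())
             if ln and not ln.startswith("#") and "=" in ln)
    return {k.strip(): v.strip() for k, _, v in pairs}

def file_problems(path):
    """Flag a missing file, or one readable beyond its owner (the ticket wants chmod 600)."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:o} is group/world accessible"] if mode & 0o077 else []

def check_https_config(java_opts_text, agent_config_text):
    """Return findings; an empty list means the setup matches the ticket's instructions."""
    props = parse_java_opts(java_opts_text)
    findings = [f"JAVA_MMS_SSL_OPTS: -D{p} not set" for p in REQUIRED_PROPS if p not in props]
    for name in REQUIRED_PROPS[::2]:  # the two *Path properties name the .jks files
        findings += file_problems(props[name]) if name in props else []
    cert = parse_agent_config(agent_config_text).get("sslTrustedMMSServerCertificate")
    if not cert:  # the 1.4 agent validates the server certificate by default
        findings.append("monitoring-agent.config: sslTrustedMMSServerCertificate not set")
    return findings + (file_problems(cert) if cert else [])

def demo(cert_mode=0o644):
    """Constructed sample: both stores are 0600; the agent's pinned certificate gets cert_mode."""
    d = tempfile.mkdtemp()
    for name, mode in (("mms-truststore.jks", 0o600), ("mms-keystore.jks", 0o600),
                       ("mms-ssl-unified.crt", cert_mode)):
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder, not a real store or certificate\n")
        os.chmod(os.path.join(d, name), mode)
    opts = "\n".join(f'JAVA_MMS_SSL_OPTS="${{JAVA_MMS_SSL_OPTS}} -D{p}={v}"' for p, v in zip(
        REQUIRED_PROPS, (f"{d}/mms-truststore.jks", "PLACEHOLDER", f"{d}/mms-keystore.jks", "PLACEHOLDER")))
    agent_conf = f"# constructed monitoring-agent.config\nsslTrustedMMSServerCertificate={d}/mms-ssl-unified.crt\n"
    return check_https_config(opts, agent_conf)
```

With the default demo() the only finding is the world-readable agent certificate; demo(cert_mode=0o600) returns no findings.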

            Assignee: Unassigned
            Reporter: John Morales (Inactive)